Establishing security over converged ethernet with tcp credential appropriation

ABSTRACT

A system for establishing a secure connection is described. The system includes a remote direct memory access over converged Ethernet (RoCE) adapter and host device. The host device includes a processor configured to establish a Transmission Control Protocol (TCP) connection between the host device and a client device via the host device network adapter. The host device forwards Internet Protocol Security (IPSec) Security Associations (SAs) and related keys to a host device Remote Direct Memory Access over Converged Ethernet (RoCE) adapter operatively connected with the host device for remote direct memory access. The RoCE adapter communicates protected data to and from the client device over an RoCE connection using the IPSec SAs and related keys.

BACKGROUND

The present disclosure relates to internet communication security, andmore specifically, to establishing security over converged Ethernet byappropriating Internet Protocol Security (IPSec) Security Association(SA) credentials.

Many industries require Internet Protocol Security (IPSec) for anyinternet protocol (IP) network traffic that must flow over unique IPsubnets (e.g., security zones). Consequently, many platforms createinfrastructure to support IPSec and build in separate security featuresto administrate their own security ecosystem. For example, someplatforms are configured to satisfy IPSec security requirements forinterfacing with different IP endpoints. These same users may extendtheir existing management and security capabilities (IPSec policies,SAs, and administrative controls) to Remote Direct Memory Access overConverged Ethernet (RoCE) connections to the same endpoints that areassociated with existing Transmission Control Protocol (TCP)connections. They do this by defining separate IPSec policies for theRoCE connections. Establishing separate security credentials for theRoCE connections can consume processing time and resources for the newconnection, in addition to requiring additional security andadministrative configuration. From another viewpoint, establishing ablanket security policy that encrypts all RoCE connections mayover-protect data streams that do not require security. By performingIPSec where it is not required by policy or at a cryptographic strengthhigher than what is required by policy, valuable resources may bewasted.

SUMMARY

According to an embodiment of the present invention, acomputer-implemented method for establishing a secure connection isdescribed. The method includes establishing a Transmission ControlProtocol (TCP) connection between a host device and a client device viaa host device network adapter. The host device forwards InternetProtocol Security (IPSec) Security Associations (SAs) and related keysto a host device Remote Direct Memory Access over Converged Ethernet(RoCE) adapter on the host device for remote direct memory access. TheRoCE adapter on the host device communicates protected data via the RoCEadapter operatively connected with the host device to and from theclient device over the RoCE connection using the IPSec SAs and relatedkeys.

According to other embodiments, a system for establishing a secureconnection is described. The system includes a remote direct memoryaccess over converged Ethernet (RoCE) adapter and host device. The hostdevice includes a processor configured to establish a TransmissionControl Protocol (TCP) connection between the host device and a clientdevice via the host device network adapter. The host device forwardsInternet Protocol Security (IPSec) Security Associations (SAs) andrelated keys to a host device Remote Direct Memory Access over ConvergedEthernet (RoCE) adapter operatively connected with the host device forremote direct memory access. The RoCE adapter communicates protecteddata to and from the client device over a RoCE connection using theIPSec SAs and related keys.

According to another embodiment of the present invention, a computerprogram product is also described. The computer program product includesa computer-readable storage medium that has program instructions savedupon it that are executable by a processor to cause a computer toperform a method for establishing a secure connection over transmissioncontrol protocol (TCP). The program instructions perform a method thatincludes establishing a Transmission Control Protocol (TCP) connectionbetween a host device and a client device via a host device networkadapter. The host device forwards Internet Protocol Security (IPSec)Security Associations (SAs) and related keys to a host device RemoteDirect Memory Access over Converged Ethernet (RoCE) adapter on the hostdevice for remote direct memory access. The RoCE adapter operativelyconnected with the host device communicates protected data via the RoCEadapter on the host device to and from the client device over the RoCEconnection using the IPSec SAs and related keys.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter which is regarded as the invention is particularlypointed out and distinctly claimed in the claims at the conclusion ofthe specification. The forgoing and other features, and advantages ofthe invention are apparent from the following detailed description takenin conjunction with the accompanying drawings in which:

FIG. 1 depicts a system for establishing a secure connection accordingto one embodiment of the present invention;

FIG. 2 illustrates an aspect of the system of FIG. 1 according to oneembodiment of the present invention;

FIG. 3 depicts a method for establishing a secure connection accordingto embodiments of the present invention;

FIG. 4 depicts a cloud computing environment, according to oneembodiment of the present invention;

FIG. 5 depicts abstraction model layers, according to one embodiment ofthe present invention; and

FIG. 6 depicts a block diagram of a computer system and environment,according to one embodiment of the present invention.

DETAILED DESCRIPTION

Several technologies used in embodiments of the invention are firstconsidered in the following paragraphs. Next, a general overview of oneor more embodiments is given. Finally, detailed descriptions of each ofthe claimed embodiments are described.

As used herein, Internet Protocol Security (IPSec) describes a protocolsuite for secure Internet Protocol (IP) communications. IPSec usescryptographic security services to protect communications over IPnetworks. IPSec supports network-level peer authentication, data-originauthentication, data integrity, data confidentiality (encryption), andreplay protection. In general, IPSec works by authenticating andencrypting each IP packet of a communication session between connectionpeers (also referred to as agents or hosts). An Internet Key Exchange(IKE) protocol includes protocols for establishing mutual authenticationbetween agents at the beginning of the session and negotiation ofcryptographic keys for use during the session. IPSec can protect dataflows between a pair of hosts (host-to-host), between a pair of securitygateways (network-to-network), or between a security gateway and a host(network-to-host). Most IPSec implementations consist of an IKE daemonthat runs in user space and an IPSec stack in the kernel that processesthe actual internet protocol (IP) packets.

Remote direct memory access (RDMA) is an InfiniBand Trade Association(IBTA) standard that enables remote direct memory access over a network.RDMA is available on standard Ethernet-based networks by using the RDMAover Converged Ethernet (RoCE). RoCE enables the use of both standardTCP/IP and RDMA solutions such as Shared Memory Communications over RDMA(SMC-R) over the same physical local area network (LAN) fabric.

Shared memory communications (SMC) over remote direct memory access(SMC-R) is a protocol solution that allows sockets over RDMA. SMC-Renables TCP sockets applications to transparently use RDMA, whichenables direct, high-speed, low-latency, memory-to-memory (peer-to-peer)communications. The TCP/IP stacks on communicating peers dynamicallylearn about the shared memory capability by using traditional TCP/IPconnection establishment flows, enabling the TCP/IP stacks to switchfrom TCP network flows to optimize direct memory access flows that useRDMA. Using RDMA reduces networking stack overhead by using streamlined,low-level RDMA interfaces that are separate from the standard networkadapter. RDMA is generally supported with a “lossless” network fabricsuch as a LAN for layer 2 data, and an RDMA-capable network interfacecard (NIC) and R-capable switch connecting the hosts.

All of the IPSec policy is stored and managed on the host. It is up tothe host's IPSec component in the TCP/IP stack to forward any policyrules, SAs, keys, etc. to the RoCE adapter. Since it is not known inadvance which RoCE link will be used for a given session, it can bedifficult for a security administrator to write an IPSec policy that isappropriate to the traffic that may be carried over that link. In mostcases all of the policy is written for the TCP traffic only. That policyis then inherited by the associated SMC-R connections as part of theassociation with a given TCP connection. It should be noted that thesecurity used for IPSec links operating with RoCE protocols should be atleast as strong as that required by the IPSec policy written for theTCP/IP connection for the initial TCP endpoints. If the protocols arenot at least as secure as the IPSec policy for TCP/IP, then somesensitive traffic may be at risk while other traffic routed across theconnection is not. Thus, having an under-protected blanket policy is notadvantageous.

Although a blanket policy specifying the highest available cryptographyfor traffic could be efficient from an administrative perspective, itmay not be advantageous to “over-protect” traffic by performing IPSecwhere it is not required by policy. For example, in some instances, notall traffic flowing across a data stream is sensitive and necessitatesencryption. Even when not the highest available cryptographic protocol,it may be disadvantageous to set cryptographic strength higher than whatis required by the policy because it can waste resources like memoryallocation, bandwidth, processing time, etc.

Now, by way of a general overview of one or more embodiments, a systemfor establishing a secure connection is depicted in FIG. 1. System 100includes two operatively connected devices (host device 102 and clientdevice 104) that logically share shared memory 108 and 124 using RoCEnetwork 116. System 100 includes an SMC-R enabled platform 106 runningon host device 102 (hereafter “host SMC-R 106”) and an SMC-R platform120 (hereafter “client SMC-R 120”) running on client device 104. HostSMC-R 106 includes shared memory 108 and a virtual server 110 running ashared memory communications (SMC) protocol 112. Similarly, clientdevice 104 includes shared memory 124 and a virtual client server 128running a SMC protocol 226.

Host device 102 also includes a RoCE adapter 114. As explained ingreater detail in FIG. 2, RoCE adapter 114 is separate, eitherphysically, logically, or both, from a network interface adapter 118installed on host device 102. Client device 104 includes a RoCE networkinterface adapter 115 separate from a network interface adapter 130. Insome embodiments, the network interface adapter 115 is logicallyseparate from network interface adapter 130 but physically embodied as asingle device. In other embodiments the adapters may be physicallyseparate devices. Adapters 118 and 130 perform a TCP 3-way handshake toestablish a TCP connection 134 between host device 102 and client device104. During this handshake, information is exchanged to indicate supportfor SMC-R. If both devices support SMC-R, then additional messages areexchanged, first over the TCP connection 134, and then, if necessary,over the RoCE adapters 114 and 115, to create an SMC-R connection 132.If IPSec security associations are installed in the host to protect TCPconnection 134, each device forwards its respective IPSec SAs andrelated keys to its respective RoCE adapter so that the IPSec logic inthe adapters can use the IPSec SAs to protect the data that flows overSMC-R connection 132. Once SMC-R connection 132 is established and theIPSec SAs are installed, RoCE adapter 114 communicates protected RoCEcommunications across RDMA enabled SMC-R connection 132. Host device 102and client device 104 include one or more processors (for example,processor 601 as shown in exemplary computer 600 shown in FIG. 6) thathave awareness and control over the IP addresses used by the RoCEadapters 114 and 115 for RoCE traffic.

According to one embodiment, SMC-R enables virtual servers 110 and 128that support RDMA enabled RoCE to logically share memory 108 and 124over the RDMA enabled RoCE network 116. When a server (e.g., virtualserver 110) that supports RDMA enabled RoCE detects that a remote TCPconnection partner (e.g., virtual client 128) supports shared memorycommunications, the TCP connection 134 is transparently and dynamicallyswitched by a processor in host device 102 from TCP/IP to use SMC-Rprotocols via a RoCE adapter 115. The applications running on virtualserver 110 are unaware of the use of shared memory 108 forcommunications. For example, SMC-R uses TCP socket applications totransparently exploit RDMA.

FIG. 2 shows another aspect of system 100, depicting the middlewarelayer 202 and socket layer 204 for communication between connecteddevices 102 and 104. Referring now to FIG. 2, once a set of SAs 206 and208 are negotiated by the server-side Internet Key Exchange (IKE) serverprocess (e.g., those running on host device 102), processor 601 pushesthe resulting security association(s) (SA) and related keys(collectively 113) into the RoCE adapter 114 for runtime use by theadapter's IPSec process. In the present description, it is assumed thatthe negotiation of IPSec security associations will be performed by theIKE protocol that is running on the host device 102 rather than the RoCEadapter 114 itself.

The RDMA attribute information is exchanged within the TCP sync flows onTCP connection 134, and the socket application data is exchanged betweenthe connected hosts (e.g., host device 102 and client device 104) viaSMC-R connection 132 operating over RDMA enabled RoCE network 116. TheTCP connection 134 remains active during the socket application dataexchange and controls the SMC-R connection 122, but all data flows overthe RoCE connection 132. This model preserves many critical existingoperational and network management features of TCP/IP.

Processor 601 also pushes IP filter rules with the source anddestination address of the RoCE link endpoints down to the RoCE adapter114. In some aspects, these filter rules are used by the adapter IPSecprocess to locate the correct security associations for outboundprocessing and to verify that the correct security associations wereused for inbound processing. According to one embodiment, where thesolution requires multiple SAs, processor 601 creates multiple IPaddresses, each associated with a unique RoCE reliably connected queuepair, between processor 601 and another device (e.g., client device104).

FIG. 3 depicts one or more embodiments of the present invention ingreater detail. Referring now to FIG. 3, a computer-implemented method300 for establishing a secure connection is described. As shown in block302, processor 601 initiates a TCP connection 134 with a client device104. If the IPSec SAs 206 and 208 do not already exist, initiating theTCP connection between the host device 102 and the client device 104causes the IPSec SAs 206 and 208 to be created via a processor 601 overthe host device network adapter 118. Accordingly, once the SAs are inplace, a TCP 3-way handshake is made between the host device 102 and theclient device. The 3-way handshake is protected by the IPSec SAs 206 and208. Next, Connection Layer Control (CLC) messages 133 are exchangedover the TCP connection using adapter 118 to negotiate the shared memorycommunications over remote direct memory access (SMC-R) with the clientdevice 104. Once the CLC exchange completes successfully (and if thereis not already a suitable queue pair available between the twoendpoints), then a connection between the RoCE adapters is establishedover a new Reliably Connected Queue Pair (RC-QP, or “QP”). It is thisqueue pair over which the application data will flow

After establishing the TCP connection and negotiating, at block 304processor 601 forwards the IPSec SAs 206 b and related keys from theIPSec component of TCP/IP stack 207 (collectively 113) to RoCE adapter114 on host device 102.

In one aspect, the processor on RoCE adapter 114 establishes a queuepair (QP) with the RoCE adapter 115 on client device 104 after thenegotiation, where the QP is based on the RDMA credentials negotiated inthe CLC exchange. Accordingly, RoCE establishes its own new userdatagram protocol (UDP) port in its own TCP/IP stack. This UDP port isconnected to the new QP and allows the RoCE adapter to transmit andreceive UDP encapsulated messages over the QP. With the QP in place,RoCE determines a connection rule for a new UDP port. The connectionrule is based on a cryptographic encryption level. More specifically,the connection rule may be based on the SAs that were forwarded by thehost device.

In some embodiments of the present invention, the connection ruledetermines whether the established queue pair (QP) has a highestavailable cryptographic protection, and the processor requests the QPhaving the highest available cryptographic protection by default. Inother aspects, RoCE adapter 114 determines whether all data traffic thatwill flow on the RoCE adapter will require cryptographic protection.

According to some embodiments, it may be possible to have multiplelevels of security—i.e., strongest security available, medium strength,and no protection at all. According to one embodiment, each securitylevel has its own QP and SAs. Responsive to determining that less thanall data traffic that will flow on RoCE adapter 114 will requirecryptographic protection, a new connection proposal message is forwardedto RoCE adapter 115 on the client device 104 requesting two sets of QPs:a first QP having no cryptographic protection, and a second QP havingthe highest available cryptographic protection, and in some embodiments,a third QP having an intermediate level of cryptograph protection.Accordingly, the processor on the RoCE adapter 114 establishes a firstQP and a second QP, where the first QP has the highest availablecryptographic protection and the second QP has no cryptographicprotection. The third QP may be established as needed.

In some aspects, processor 601 may determine that less than all datatraffic that will flow on the new UDP port will require cryptographicencryption. For example, there may be sufficient data traffic thatconsists of general (non-secured) internet traffic or other data flows.It is beneficial, then, to conserve computing resources and datatransmission bandwidth resources that may be unnecessarily consumed byover-protecting data flows. In such cases, processor 601 may establishthe QP having no cryptographic protection or an intermediate level ofcryptographic protection.

In one aspect, it may be beneficial to create two or more levels ofsecurity for the data flows. Processor 601 may write the connection rulethat requests the first predetermined QP having the highest availablecryptographic protection pair for a new connection. The connection rulealso requests the second predetermined SA pair having no cryptographicprotection for a second new connection. Accordingly, processor 601establishes the first new connection for IPSec traffic and establishesthe second new connection for non-IPSec traffic. In this way, resourcesneeded for encryption are not expended on the second connection dataflows having non-critical information (that do not need IPSec security).Accordingly, the new port is established using credentials (SAs 206)appropriated from the initial IKE connection process.

In other embodiments, it may be beneficial to create a third level ofsecurity for the data flows with an encryption level that is more thanno encryption, and yet does not need the protection of the highest levelof cryptographic protection available, which are more constraining onsystem resources. Accordingly, processor 601 may write a connection rulethat requests the third predetermined QP.

In some aspects of the present invention, a cloud computing model may beused in one or more embodiments. A discussion on cloud computing isprovided as background for such embodiments.

It is understood in advance that although this disclosure includes adetailed description on cloud computing, implementation of the teachingsrecited herein are not limited to a cloud computing environment. Rather,embodiments of the present invention are capable of being implemented inconjunction with any other type of computing environment now known orlater developed.

Cloud computing is a model of service delivery for enabling convenient,on-demand network access to a shared pool of configurable computingresources (e.g., networks, network bandwidth, servers, processing,memory, storage, applications, virtual machines, and services) that canbe rapidly provisioned and released with minimal management effort orinteraction with a provider of the service. This cloud model can includeat least five characteristics, at least four service models, and atleast four deployment models.

Characteristics of a Cloud Model:

On-demand self-service: a cloud consumer can unilaterally provisioncomputing capabilities, such as server time and network storage, asneeded automatically without requiring human interaction with theservice's provider.

Broad network access: capabilities are available over a network (e.g.,network 606, as depicted in FIG. 6) and accessed through standardmechanisms that promote use by heterogeneous thin or thick clientplatforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling: the provider's computing resources are pooled to servemultiple consumers using a multi-tenant model, with different physicaland virtual resources dynamically assigned and reassigned according todemand. There is a sense of location independence in that the consumergenerally has no control or knowledge over the exact location of theprovided resources but can be able to specify location at a higher levelof abstraction (e.g., country, state, or datacenter).

Rapid elasticity: capabilities can be rapidly and elasticallyprovisioned, in some cases automatically, to quickly scale out andrapidly released to quickly scale in. To the consumer, the capabilitiesavailable for provisioning often appear to be unlimited and can bepurchased in any quantity at any time.

Measured service: cloud systems automatically control and optimizeresource use by leveraging a metering capability at some level ofabstraction appropriate to the type of service (e.g., storage,processing, bandwidth, and active user accounts). Resource usage can bemonitored, controlled, and reported providing transparency for both theprovider and consumer of the utilized service.

Service Models:

Software as a Service (SaaS): the capability provided to the consumer isto use the provider's applications running on a cloud infrastructure.The applications are accessible from various client devices through athin client interface such as a web browser (e.g., web-based e-mail).The consumer does not manage or control the underlying cloudinfrastructure including network (e.g., network 606, as depicted in FIG.6), servers, operating systems, storage, or even individual applicationcapabilities, with the possible exception of limited user-specificapplication configuration settings.

Platform as a Service (PaaS): the capability provided to the consumer isto deploy onto the cloud infrastructure consumer-created or acquiredapplications created using programming languages and tools supported bythe provider. The consumer does not manage or control the underlyingcloud infrastructure including networks (e.g., network 606, as depictedin FIG. 6), servers, operating systems, or storage, but has control overthe deployed applications and possibly application hosting environmentconfigurations.

Infrastructure as a Service (IaaS): the capability provided to theconsumer is to provision processing, storage, networks (e.g., network606, as depicted in FIG. 6), and other fundamental computing resourceswhere the consumer is able to deploy and run arbitrary software, whichcan include operating systems and applications. The consumer does notmanage or control the underlying cloud infrastructure but has controlover operating systems, storage, deployed applications, and possiblylimited control of select networking components (e.g., host firewalls).

Database as a Service (DBaaS): a cloud-based approach to the storage andmanagement of structured data that delivers database functionalitysimilar to what is found in relational database management systems(RDBMSs) such as, for example, SQL Server, MySQL, and Oracle. DBaaSprovides a flexible, scalable, on-demand platform oriented towardself-service and database management, particularly in terms ofprovisioning a business' own environment. DBaaS systems can includemonitoring engines to track performance and usage, error monitoring, anddata analysis engines.

Deployment Models:

Private cloud: the cloud infrastructure is operated solely for anorganization. It can be managed by the organization or a third party andcan exist on-premises or off-premises.

Community cloud: the cloud infrastructure is shared by severalorganizations and supports a specific community that has shared concerns(e.g., mission, security requirements, policy, and complianceconsiderations). It can be managed by the organizations or a third partyeither locally or remotely.

Public cloud: the cloud infrastructure is made available to the generalpublic or a large industry group and is owned by an organization sellingcloud services.

Hybrid cloud: the cloud infrastructure is a composition of two or moreclouds (private, community, or public) that remain unique entities butare bound together by standardized or proprietary technology thatenables data and application portability (e.g., cloud bursting forload-balancing between clouds).

Referring now to FIG. 4, a cloud computing environment 400 for use inpracticing the teachings herein is depicted. As shown in FIG. 4, cloudcomputing environment 400 comprises one or more cloud computing nodes412 with which local computing devices used by cloud consumers, such as,for example, a computing device 414, a desktop computer 416, a laptopcomputer 418, and/or an automobile computer system 419 can communicate.Cloud computing nodes 412 can communicate with one another. They can begrouped (not shown) physically or virtually, in one or more networks410, such as a Private, Community, Public, or Hybrid clouds as describedhereinabove, or a combination thereof. This allows cloud computingenvironment 400 to offer infrastructure, platforms and/or software asservices for which a cloud consumer does not need to maintain resourceson a local computing device. It is understood that the types ofcomputing devices 414-419 shown in FIG. 4 are intended to beillustrative only and that cloud computing nodes 412 and cloud computingenvironment 400 can communicate with any type of computerized deviceover any type of network and/or network addressable connection (e.g.,using a web browser).

Referring now to FIG. 5, a set of functional abstraction layers 520provided by cloud computing environment 400 (as depicted in FIG. 4) isshown. It should be appreciated that the components, layers, andfunctions of functional abstraction layers 520 depicted in FIG. 5 areillustrative only, and embodiments of the invention are not limitedthereto. As depicted, the following layers and corresponding functionsare provided:

A hardware and software layer 522 can include hardware and softwarecomponents. Examples of hardware components can include, for example,mainframes 524, RISC (Reduced Instruction Set Computer) architecturebased servers 526, servers 528, blade servers 530, storage devices 532,and networks and networking components 534. In some embodiments,software components include network application server software 536 anddatabase software 538.

A virtualization layer 539 can provide an abstraction layer from whichthe following examples of virtual entities can be provided: virtualservers 540, virtual storage 542, virtual networks 544, which caninclude virtual private networks, virtual applications and operatingsystems 546, and virtual clients 548.

In one example, a management layer 550 can provide the functionsdescribed below. A resource provisioning module 552 can provide dynamicprocurement of computing resources and other resources that can beutilized to perform tasks within the cloud computing environment. Ametering and pricing resource 554 can provide cost tracking as resourcesare utilized within the cloud computing environment, and billing orinvoicing for consumption of these resources. In one example, meteringand pricing resources can include application software licenses. A userportal 556 can provide access to cloud computing environment 400 forconsumers and system administrators (not shown). In some embodiments,user portal 556 can provide security and/or identity verification forcloud consumers (e.g., one or more consumers operating one or more ofcomputing devices 414-419) and tasks, as well as protection for data andother resources. A service level management resource 558 can providecloud computing resource allocation and management such that requiredservice levels are met. A service level agreement (SLA) planning andfulfillment resource 560 can provide pre-arrangement for, andprocurement of cloud computing resources for which a future requirementis anticipated in accordance with an SLA.

A workloads layer 562 can provide functionality for which the cloudcomputing environment can be utilized. For example, workloads layer 562can include a mapping and navigation resource 564, a softwaredevelopment and lifecycle management resource 566, a virtual classroomeducation delivery resource 568, a data analytics processing resource570, a transaction processing resource 572, and connection rule resource574.

FIG. 6 illustrates a block diagram of an exemplary computing environmentand computer system 600 for use in practicing the embodiments describedherein. The environment and system described herein can be implementedin hardware, software (e.g., firmware), or a combination thereof. In anexemplary embodiment, a hardware implementation can include amicroprocessor of a special or general-purpose digital computer, such asa personal computer, workstation, minicomputer, or mainframe computer.Computer 600 therefore can embody a general-purpose computer. In anotherexemplary embodiment, the implementation can be part of a mobile device,such as, for example, a mobile phone, a personal data assistant (PDA), atablet computer, etc.

As shown in FIG. 6, the computer 600 includes processor 601. Computer600 also includes memory 602 communicatively coupled to processor 601,and one or more input/output adapters 603 that can be communicativelycoupled via system bus 605. Memory 602 can be communicatively coupled toone or more internal or external memory devices via a storage interface608.

Communications adapter 616 can communicatively connect computer 600 toone or more networks 606. According to one exemplary embodiment,communications adapter 616 is a separate appliance from RoCE adapter114.

System bus 605 can communicatively connect one or more user interfacesvia input/output (I/O) adapter 603. I/O adapter 603 can connect aplurality of input devices 604 to computer 600. Input devices caninclude, for example, a keyboard, a mouse, a microphone, a sensor, etc.System bus 605 can also communicatively connect one or more outputdevices 607 via I/O adapter 603. Output device 607 can include, forexample, a display, a speaker, a touchscreen, etc.

Processor 601 is a hardware device for executing program instructions(aka software), stored in a computer-readable memory (e.g., memory 602).Processor 601 can be any custom made or commercially availableprocessor, a central processing unit (CPU), a plurality of CPUs, forexample, CPU 601 a-601 c, an auxiliary processor among several otherprocessors associated with the computer 600, a semiconductor basedmicroprocessor (in the form of a microchip or chip set), or generallyany device for executing instructions. Processor 601 can include a cachememory 622, which can include, but is not limited to, an instructioncache to speed up executable instruction fetch, a data cache to speed updata fetch and store, and a Translation Lookaside Buffer (TLB) used tospeed up virtual-to-physical address translation for both executableinstructions and data. Cache memory 622 can be organized as a hierarchyof more cache levels (L1, L2, etc.).

Processor 601 can be disposed in communication with one or more memorydevices (e.g., random access memory (RAM) 609, read only memory (ROM)610, one or more external databases 621, etc.) via a storage interface608. Storage interface 608 can also connect to one or more memorydevices including, without limitation, one or more databases 621, and/orone or more other memory drives (not shown) including, for example, aremovable disc drive, etc., employing connection protocols such asserial advanced technology attachment (SATA), integrated driveelectronics (IDE), universal serial bus (USB), fiber channel, smallcomputer systems interface (SCSI), etc. The memory drives can be, forexample, a drum, a magnetic disc drive, a magneto-optical drive, anoptical drive, a redundant array of independent discs (RAID), asolid-state memory device, a solid-state drive, etc. Variations ofmemory devices can be used for implementing, for example, list alldatabases from other figures.

Memory 602 can include random access memory (RAM) 609 and read onlymemory (ROM) 610. RAM 609 can be any one or combination of volatilememory elements (e.g., DRAM, SRAM, SDRAM, etc.). ROM 610 can include anyone or more nonvolatile memory elements (e.g., erasable programmableread only memory (EPROM), flash memory, electronically erasableprogrammable read only memory (EEPROM), programmable read only memory(PROM), tape, compact disc read only memory (CD-ROM), disk, cartridge,cassette or the like, etc.). Moreover, memory 602 can incorporateelectronic, magnetic, optical, and/or other types of non-transitorycomputer-readable storage media. Memory 602 can also be a distributedarchitecture, where various components are situated remote from oneanother, but can be accessed by processor 601.

The instructions in memory 602 can include one or more separateprograms, each of which can include an ordered listing ofcomputer-executable instructions for implementing logical functions. Inthe example of FIG. 6, the instructions in memory 602 can include anoperating system 611. Operating system 611 can control the execution ofother computer programs and provides scheduling, input-output control,file and data management, memory management, and communication controland related services.

The program instructions stored in memory 602 can further includeapplication data 612, and for a user interface 613.

I/O adapter 603 can be, for example but not limited to, one or morebuses or other wired or wireless connections. I/O adapter 603 can haveadditional elements (which are omitted for simplicity) such ascontrollers, microprocessors, buffers (caches), drivers, repeaters, andreceivers, which can work in concert to enable communications. Further,I/O adapter 603 can facilitate address, control, and/or data connectionsto enable appropriate communications among the aforementionedcomponents.

I/O adapter 603 can further include a display adapter coupled to one ormore displays. I/O adapter 603 can be configured to operatively connectone or more input/output (I/O) devices 607 to computer 600. For example,I/O 603 can connect a keyboard and mouse, a touchscreen, a speaker, ahaptic output device, or other output device. Output devices 607 caninclude but are not limited to a printer, a scanner, and/or the like.Other output devices can also be included, although not shown. Finally,the I/O devices connectable to I/O adapter 603 can further includedevices that communicate both inputs and outputs, for instance but notlimited to, a NIC or modulator/demodulator (for accessing other files,devices, systems, or a network), a radio frequency (RF) or othertransceiver, a telephonic interface, a bridge, a router, and the like.

According to some embodiments, computer 600 can include a mobilecommunications adapter 623. Mobile communications adapter 623 caninclude a global position system (GPS), cellular, mobile, and/or othercommunications protocols for wireless communication.

In some embodiments, computer 600 can further include communicationsadapter 616 for coupling to a network 606.

Network 606 can be an IP-based network for communication betweencomputer 600 and any external device. Network 606 transmits and receivesdata between computer 600 and devices and/or systems external tocomputer 600. In an exemplary embodiment, network 606 can be a managedIP network administered by a service provider. Network 606 can be anetwork internal to an aircraft, such as, for example, an avionicsnetwork, etc. Network 606 can be implemented in a wireless fashion,e.g., using wireless protocols and technologies, such as WiFi, WiMax,etc. Network 606 can also be a wired network, e.g., an Ethernet network,a controller area network (CAN), etc., having any wired connectivityincluding, e.g., an RS232 connection, R5422 connection, etc. Network 606can also be a packet-switched network such as a local area network, widearea network, metropolitan area network, Internet network, or othersimilar type of network environment. The network 606 can be a fixedwireless network, a wireless local area network (LAN), a wireless widearea network (WAN) a personal area network (PAN), a virtual privatenetwork (VPN), intranet or other suitable network system.

Network 606 can operatively connect computer 600 to one or more devicesincluding device 617, device 618, and device 620. Network 606 can alsoconnect computer 600 to one or more servers such as, for example, server619.

If computer 600 is a PC, workstation, laptop, tablet computer and/or thelike, the instructions in the memory 602 can further include a basicinput output system (BIOS) (omitted for simplicity). The BIOS is a setof routines that initialize and test hardware at startup, startoperating system 611, and support the transfer of data among theoperatively connected hardware devices. The BIOS is typically stored inROM 610 so that the BIOS can be executed when computer 600 is activated.When computer 600 is in operation, processor 601 can be configured toexecute instructions stored within the memory 602, to communicate datato and from the memory 602, and to generally control operations of thecomputer 600 pursuant to the instructions.

The present invention can be a system, a method, and/or a computerprogram product at any possible technical detail level of integration.The computer program product can include a computer readable storagemedium (or media) having computer readable program instructions thereonfor causing a processor to carry out aspects of the present invention.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium can be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network can comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present invention can be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, configuration data for integrated circuitry, oreither source code or object code written in any combination of one ormore programming languages, including an object oriented programminglanguage such as Smalltalk, C++, or the like, and procedural programminglanguages, such as the “C” programming language or similar programminglanguages. The computer readable program instructions can executeentirely on the user's computer, partly on the user's computer, as astand-alone software package, partly on the user's computer and partlyon a remote computer or entirely on the remote computer or server. Inthe latter scenario, the remote computer can be connected to the user'scomputer through any type of network, including a local area network(LAN) or a wide area network (WAN), or the connection can be made to anexternal computer (for example, through the Internet using an InternetService Provider). In some embodiments, electronic circuitry including,for example, programmable logic circuitry, field-programmable gatearrays (FPGA), or programmable logic arrays (PLA) can execute thecomputer readable program instructions by utilizing state information ofthe computer readable program instructions to personalize the electroniccircuitry, in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions can be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionscan also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions can also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams can represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s). In some alternativeimplementations, the functions noted in the blocks can occur out of theorder noted in the Figures. For example, two blocks shown in successioncan, in fact, be executed substantially concurrently, or the blocks cansometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

The descriptions of the various embodiments of the present inventionhave been presented for purposes of illustration, but are not intendedto be exhaustive or limited to the embodiments disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the describedembodiments. The terminology used herein was chosen to best explain theprinciples of the embodiments, the practical application or technicalimprovement over technologies found in the marketplace, or to enableothers of ordinary skill in the art to understand the embodimentsdisclosed herein.

1.-10. (canceled)
 11. A system for establishing a secure connectioncomprising: a host device having a processor configured to: establish aTransmission Control Protocol (TCP) connection between the host deviceand a client device via a host device network adapter; forward, from thehost device, Internet Protocol Security (IPSec) Security Associations(SAs) and related keys to a Remote Direct Memory Access over ConvergedEthernet (RoCE) adapter on the host device for remote direct memoryaccess; and communicate protected data via the RoCE adapter operativelyconnected with the host device to and from the client device over anRoCE connection using the IPSec SAs and related keys.
 12. The system ofclaim 11, wherein establishing the TCP connection between the hostdevice and the client device comprises establishing the IPSec SAs via aprocessor on the host device, wherein a TCP 3-way handshake and a CLCexchange over the TCP connection between the host device and the clientdevice are protected by the IPSec SAs.
 13. The system of claim 11,wherein communicating the protected data comprises sending and receivingdata via the RoCE adapter on the host device to and from a second RoCEadapter on the client device under protection of the IPSec SAs, wherein,for each respective RoCE adapter, the protected data is enforced by anIPSec component of the RoCE adapter on the host device of a TCP/IP stackon the host device using the SAs that were forwarded by the host device.14. The system of claim 13, wherein the host device is furtherconfigured to: negotiate Shared Memory Communications Over Remote DirectMemory Access (SMC-R) with the client device via a processor over thenetwork adapter, wherein the negotiating is based on a TCP 3-wayhandshake as well as a CLC exchange that occurs over the TCP connection.15. The system of claim 14, wherein after the negotiating, the RoCEadapter on the host device forwards a new connection proposal message tothe client device for the SMC-R after performing the TCP 3-way handshakeand CLC exchange.
 16. The system of claim 15, wherein the processor isfurther configured to: associate a queue pair (QP) through the RoCEadapter on the host device responsive to an affirmative result of thenegotiating; and communicate the protected data via the RoCE adapter onthe host device over the QP using the forwarded IPSec SAs.
 17. Thesystem of claim 16, wherein the QP has a highest available cryptographicprotection, and the processor requests the QP having the highestavailable cryptographic protection by default.
 18. The system of claim16, wherein the processor is further configured to: evaluate whether alldata traffic that will flow on the RoCE adapter on the host device willrequire IPSec protection; and responsive to determining that less thanall data traffic that will flow on the RoCE adapter on the host devicewill require cryptographic encryption, forward a new connection proposalmessage to the client device requesting association of at least onequeue pair.
 19. The system claim 18, wherein the processor is furtherconfigured to: associate one or more of a first QP, a second QP and athird QP, wherein the first QP is established for non-IPSec traffic andhas a highest available cryptographic protection, the second QP isestablished for IPSec traffic and has no cryptographic protection, andthe third QP is established for IPSec traffic and has an intermediatelevel of cryptographic protection.
 20. A computer program product forestablishing a secure connection over Transmission Control Protocol(TCP), the computer program product comprising a computer readablestorage medium having program instructions embodied therewith, theprogram instructions executable by a processor to cause the processor toperform a method comprising: establishing a TCP connection between ahost device and a client device via a host device network adapter;forwarding, from the host device, Internet Protocol Security (IPSec)Security Associations (SAs) and related keys to a Remote Direct MemoryAccess over Converged Ethernet (RoCE) adapter on the host device forremote direct memory access; and communicating protected data via theRoCE adapter on the host device to and from the client device over anRoCE connection using the IPSec SAs and related keys.